code_chellenge is required

[GRRedWings]

I'm sure I'm going to struggle asking the question correctly, but maybe someone can help me understand.

I have configured a location for AuthType of openid-connect. This works fine with our normal configurations with Azure & Google IDPs.

We are trying to connect to a PingFederate server and we get an error

Error: OpenID Connect Provider error: invalid_request
Description: code_challenge is required.

Based on a little research, I believe that this PF IDP is using PKCE flow. My question is, is it possible to configure something like OIDCResponseType to not use PKCE, or is there a different way I need to configure the AuthType?

We use AuthType of oauth2 for our Android PKCE flow, but when I try to use the same configuration and OAuth2TokenVerify of jwks_uri, I get an Unauthorized error.

Thanks for any help or direction.

[zandbelt]

you can either disable PKCE for the mod_auth_openidc client in PingFederate, or enable PKCE in mod_auth_openidc's config with OIDCPKCEMethod , https://github.com/zmartzone/mod_auth_openidc/blob/v2.4.11.1/auth_openidc.conf#L257-L260

[GRRedWings]

That seemed to work now I get the IDP login page, but when I login I now see one of a couple of errors

OpenID Connect Provider error: Error in handling response type.
OR

if I configure the Response type to be id_token I get
unauthorized_client - implicit grant not allowed for this client

In looking at the first error where I was not setting the response type, is it possible there is aanother config I need to set ?
Or based on some other threads of yours like https://github.com/zmartzone/mod_auth_openidc/issues/215, I'm wondering if there is something with the PF instance that is not configured the way I need it.

As for the second unauthorized client, am I understanding this correct that they are not allowing the id_token response type?

So the long answer is, is there a example or standard setup to use PKCE for browser based auth? I'm just trying to use apache and this module as a proxy to force auth with the IDP before moving forward.

[zandbelt]

OpenID Connect Provider error: Error in handling response type.

the server debug logs will tell you what went wrong; I would not recommend switching to the Implicit grant type as it is deprecated

[eoliphan]

Hi I opened this discussion: #1256, as setting OIDCPKCEMethod to none doesn't appear to work in the latest release